Missing Encryption of Sensitive Data Vulnerability in Apache Tomcat
CVE-2026-34486

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 9 April 2026

What is CVE-2026-34486?

A vulnerability has been identified in Apache Tomcat that arises from missing encryption mechanisms for sensitive data, which could lead to data exposure. This issue was introduced as a result of the fix for another vulnerability, allowing the EncryptInterceptor to be bypassed. Users running versions 11.0.20, 10.1.53, and 9.0.116 are advised to upgrade to the latest versions (11.0.21, 10.1.54, or 9.0.117) to mitigate potential risks associated with this vulnerability.

Affected Version(s)

Apache Tomcat 11.0.20

Apache Tomcat 10.1.53

Apache Tomcat 9.0.116

References

https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvw...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2026
Vulnerability Reserved
Mar 30, 2026

Credit

Bartlomiej Dmitruk at striga.ai

CVE-2026-34486 Data

JSON